OpenVPN Speed Issue

[MoonDogg]

Here is what I got. RT-N66U on 378.55.
My Inet Speed is 25Mbps Down and 2.5Mbps up
Naked Speed test 2o down 2 up
VPN test on computer 17-18 down 2 up I get the same speeds on PIA VPN.
VPN test on router 10down 2 up

I know the CPU is the bottle neck it spikes to 80% when doing speed test. I have done a lot of tweaks with the settings to get the speed I got. The VPN server I am connecting to is on a MikroTik Cloud Core router connected to a 1Gbps fiber. Unfortunately it only supports TCP clients so that is a bottle neck as well. I have control of both sides of this connection if anyone has any suggestions I would appreciate it.

If upgrading my home router is the best solution which would you suggest? I have no devices that are currently 802.11ac so that is not important. My only concern is getting the VPN as fast as it can be. Thanks for any help.

 

[MediaMan09]

I will be watching this thread with great interest. Just started dabbling into this, first with OpenVPN as a windows client, and now on the tourer (AC68U)/

My VPN speed is awful on the first try so I have lots of work to do re settings and selection of servers. Without VPN, my service is 80 Mbps down and 10 Mbps up. With OpenVPN on the router it's like 15 Mbps down which is pretty awful , and that's with UDP(!), but I just just set it up now with default settings.

Can you post/share your settings?

 

[Branjo Snow]

I'm using the AC68P and my speeds with the PIA VPN app in windows give me the same advertised speeds as I get without it, i.e 75 down (I actually get 90 though) and 10 up (actually get 11). Now running the VPN through the router my speeds drop to thus, 30 down but still 11 up UDP. I am a novice at this stuff myself but I assume its just the weak CPU's of routers versus the CPUs from desktops with regards to the encryption settings. The AC68P has a dual core CPU at 1Ghz.

Now this being said I only used to get 10 down with the VPN enabled before I updated the firmware to 378.55, but I have to also add that my ISP comcast upped my speeds from 50 down to 75 down. Maybe the bump in bandwidth coupled with Merlins latest release helped quite a bit.

 

[MediaMan09]

..
VPN test on computer 17-18 down 2 up I get the same speeds on PIA VPN.
VPN test on router 10down 2 up....

Forgive my ignorance but are you referring to generic testing you are doing or an actual benchmark tool?

 

[MediaMan09]

Here is a quick snapshot on my speed... pretty poor on the router. I am currently the only one on my home network so the router is not working hard on anything else.

If this is typical of what I can expect, may need to forget this option and install the Windows clients on the individual devices. Not nearly as convenient, and at times I would hit a concurrent use limit, unless I changed my plan.

 

[Branjo Snow]

Here is a quick snapshot on my speed... pretty poor on the router. I am currently the only one on my home network so the router is not working hard on anything else.

If this is typical of what I can expect, may need to forget this option and install the Windows clients on the individual devices. Not nearly as convenient, and at times I would hit a concurrent use limit, unless I changed my plan.

View attachment 4324

Wow that is quite a hit you are taking there.

 

[MediaMan09]

Wow that is quite a hit you are taking there.

Indeed, but it only day one at this. Hope to improve it, a bit, with a lot of trouble shooting.

 

[MoonDogg]

Forgive my ignorance but are you referring to generic testing you are doing or an actual benchmark tool?

Its an actual benchmark done on speedtest.net. I was just giving avg. of several speed test done.

 

[MoonDogg]

Here is a quick snapshot on my speed... pretty poor on the router. I am currently the only one on my home network so the router is not working hard on anything else.

If this is typical of what I can expect, may need to forget this option and install the Windows clients on the individual devices. Not nearly as convenient, and at times I would hit a concurrent use limit, unless I changed my plan.

View attachment 4324

Thanks well upgrading to an AC68U would not get the results I want.

 

[MoonDogg]

BTW here is my client config file if anyone interested.

dev tun
proto tcp-client

remote ***.***.***.*** 1194

ca ca.crt
cert ***.crt
key ***.key

nobind
tls-client
port 1194

ping 15
ping-restart 300
ping-timer-rem
persist-tun
persist-key

sndbuf 0
rcvbuf 0

tun-mtu 1500
mssfix 1400

verb 3

cipher AES-256-CBC
auth SHA1
pull

redirect-gateway def1

auth-user-pass

 

[MediaMan09]

Everything I have been reading on the subject suggests significant performance hits are a given and as such ,its a bit discouraging/hopeless at this stage to try and workaround it, given observation like :

• OpenVPN client software seems like from last century - it only can utilize one core, so it does not benefit directly from these routers dual code CPUs.
• OpenVPN isn't really designed to scale well on multiple CPUs at this time. This is something that the developers intend to address with OpenVPN 3.x.

The last bullet is from Merlin.

I think i'll be waiting on the sidelines until the next generation is ready for prime time. Taking such huge hits on performance with a router implementation, via a desktop one, doesn't make sense for me. The OpenVPN Client is a bit nasty to work with, but at least I don't have to drop from a hi-speed connection to a fraction of it.

I was hoping there would be a cleaner client to use instead of OpenVPN client, but so far have not found one. I tried to Add a VPN connection in native Windows 10 Network Conenctions- it works but gives me router-like performance. So, I guess I'm just stuck with the client for now if I want the masking/encryption.

 

[Branjo Snow]

Yeah I just ended up using the windows program for my VPN, least that way I get pretty much no performance hit at all. Using PIA btw.

 

[MediaMan09]

I like PIA as well. They were on my short list. Very responsive to a request I made for them to whitelist my email service during my trial with them. I did not end up staying though because of (1) they were not offering a bundled DNS service that I was also after for unblocking US contect from up here in the cold white north ( although its 90 degrees right now!) and (2), ironically, because of performance conerns ( 29 pages of it discussed here from 2013 to present day). But yours seems faster than mine comparing your router based 30 Mbps to my 15 Mbps, so go figure.

But we both started from 90 Mbps, and that's the point.

Router based OpenVPN cleint sounded so good in concept - hope it gets "fixed" soon.

 

[john9527]

Thanks well upgrading to an AC68U would not get the results I want.

You may indeed get better results on an AC68U with Merlin. Merlin's firmware loads the VPN code to the alternate core instead of having it share the core with the one doing most of the 'router' functions. People have seen 50% to over 100% improvement in speeds with this change.

 

[MediaMan09]

Some related questions:

OPENVPN CLIENT ON THE ROUTER:
1) has anyone played with different types of compression ; is there a preferred setting in terms better performance?

2) is it possible, somehow, to offload some VPN router functions to dedicated a home machine, in the quest to improve VPN router performance?

OPENVPN CLIENT ON WINDOWS:
3) in terms of a user interface, is there a free third party app one can use instead of the OpenVPN interface. When I was on a trial period with the ibVPN service, they had a nice app, but it only worked for their service.

 

[Mikeyy]

http://www.smallnetbuilder.com/othe...-up-and-using-openvpn-on-asus-routers?start=2

You have picture with performance numbers of asus routers here.

 

[Branjo Snow]

I like PIA as well. They were on my short list. Very responsive to a request I made for them to whitelist my email service during my trial with them. I did not end up staying though because of (1) they were not offering a bundled DNS service that I was also after for unblocking US contect from up here in the cold white north ( although its 90 degrees right now!) and (2), ironically, because of performance conerns ( 29 pages of it discussed here from 2013 to present day). But yours seems faster than mine comparing your router based 30 Mbps to my 15 Mbps, so go figure.

But we both started from 90 Mbps, and that's the point.

Router based OpenVPN cleint sounded so good in concept - hope it gets "fixed" soon.

Same here, I would love to just assign the VPN to the router full time and not have to worry about any other machines in the house. I guess the better the router CPU's get, the better they can do the whole encryption and compression thing. As to your next post I have wondered this myself, the PIA apps default encryption is 128bit AES/Sha1/2048bit, I was curious if the routers "default" setting would incorporate this or does it use a different kind. I have actually not messed with the encryption or compression settings on the ASUS router. I am sure there must be a point where a lessor encryption and compression yield better results in speed vs the security.

The speeds of PIA where I am (Chicagoland) are pretty damn good, my ping to the same server as say speed test by Ookla would choose, only goes up by 4ms from 10 to 14, so I am still able to play multiplayer games without any problems. They do however cover the DNS too as far as I know, when I connect I always do a DNS leak test and it always comes back as a single DNS server "Choppa LLC" in the area where I select the location in the US, I am also able to for example get a different netflix for the UK, watch their BBC One videos whereas before I would get a "not available in your area" message, I cant remember the DNS for there though but unlocking US content shouldn't be a concern.

I bought a years subscription with a walmart gift card, cost me just $50, and now they are offering a 2 year subscription for $60 which I am definitely going to get when mine is close to running out. I have honestly not read about a better VPN out there. What worries me though is the more famous they become the bigger the target they will be to be shutdown. They don't keep logs and the IP's given can be used by a lot of people at the same time, so even an IP trace will be inconclusive. Hulu have completely blocked the IP range though and this my be a concern as time goes on if more services want to limit access to foreign users. There is a Toronto and North York location on my PIA location list, I don't know if they are new additions since you tried it.

 

[CaptainSTX]

Some related questions:


2) is it possible, somehow, to offload some VPN router functions to dedicated a home machine, in the quest to improve VPN router performance?

Sabai Technology offers a VPN Accelerator ($299.99). It works in conjunction with routers running their dual gateway software. Using a VPN accelerator a normally get 95% of my contracted speeds from my ISP.

In the past Sabai required you buy a router from them pre flashed with their modified version of Tomato. I believe now t Sabai, for a price, will flash your existing router if it supports their version of Tomato.

 

[MediaMan09]

That VPN accelerator sounds interesting, but I dont really want to give up Merlin.

But more important - if there is a firmware flash based solution that gets VPN performance accelerated to 95%, why can't a future version of Merlin achieve it???

 

[CaptainSTX]

That VPN accelerator sounds interesting, but I dont really want to give up Merlin.

But more important - if there is a firmware flash based solution that gets VPN performance accelerated to 95%, why can't a future version of Merlin achieve it???

It isn't a firmware/software issue it is all about the hardware. The VPN Accelerator has 1.8Ghz dual core processor and 2 GB or memory. Compare that to most SOHO routers.

Same reason why your VPN client can run much faster on a PC than on a router, better and faster hardware.

You asked for a way to offload VPN processing and the accelerator is a device specific way to do it. While with PCs you can run the VPN directly, no way to do so with lower powered devices, streaming video boxes, etc.